A security researcher, operating under the pseudonym "Srikanth L" and affiliated with CashlessConsumer, has alleged that the IDRBT's Domain Registration Portal, the exclusive registrar for India's .bank.in namespace, exposed over 33 unauthenticated API endpoints.
The campaign, dubbed "Poisoned Tenant" and discovered by Push Security, involves attackers creating fake OpenAI organizations using Gmail addresses but sending invitations from OpenAI's legitimate notification system.
The MCI program, launched in April, aimed to improve Meta's AI by analyzing employee interactions with computers, such as mouse movements and keyboard shortcuts.